
Tool Name | Description | Attack Methodology | Syntax Example

Enumeration

1.1.1 Ass
Description: ASS, the autonomous system scanner, is designed to find the AS of the router. It supports the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF. In passive mode (./ass -i eth0), it just listens to routing protocol packets (like broadcast and multicast hellos). In active mode (./ass -i eth0 -A), it tries to discover routers by asking for information. This is done to the appropriate address for each protocol (either broadcast or multicast addresses). If you specify a destination address, this will be used but may not be as effective as the defaults. EIGRP scanning is done differently: while scanning, ASS listens for HELLO packets and then scans the AS directly on the router that advertised itself. You can force EIGRP scanning into the same AS-Scan behavior as IGRP uses by giving a destination, or into multicast scanning by the option -M. For active mode, you can select the protocols you want to scan for. If you don't select them, all are scanned.
Attack Methodology: I'm surprised at how useful this sounds and how much I want to play with it. To be able to instantaneously sniff out routing packets can be used to quickly identify network endpoints and map potential hosts for DNS or ARP spoofing. Especially useful when the default gateways do not have typical addresses (192.168.1.1 or 192.168.1.254) or when they're not responding to ICMP ping requests.
Syntax Example:
./ass [-v[v[v]]] -i <interface> [-p] [-c] [-A] [-M] [-P IER12] -a <autonomous system start> -b <autonomous system stop> [-S <spoofed source IP>] [-D <destination ip>] [-T <packets per delay>]
Passive Mode: ./ass -i eth0 (listens to routing protocol packets)
Active Mode: ./ass -i eth0 -A (tries to discover routers by asking for info)
1.1.2 DMitry
1.1.3 DNS-Ptr
1.1.4 dnswalk
Description: A DNS debugger that performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency. Requires Perl and the NET:DNS Perl package.
Attack Methodology: Zone transfers are used to transfer the DNS cache from a DNS server that has zone transfers enabled.
Syntax Example: KW(zone transfer)
1.1.5 dns-bruteforce
Description: Used to brute force name resolution on domains. This tool resolves possible machine names from the supplied file on the specified domain.
Attack Methodology: Useful to identify "hidden" hosts on a domain. This can lead to more machines that were originally planned by the administrators to remain hidden by staying "unpublished".
Syntax Example:
DNSBruteforce.py <domain> <list of name servers> <hostfile>
DNSBruteforce.py uclid.com servers.lst hosts-txt

1.1.6 dnsenum
Description: Multithreaded Perl script to enumerate DNS information on a domain and to discover non-contiguous IP blocks.
Attack Methodology: DNS enumeration is important for mapping networks and identifying potentially vulnerable hosts on a network or within a domain. Currently dnsenum can perform:
1) Get the host's address (A record).
2) Get the nameservers (threaded).
3) Get the MX record (threaded).
4) Perform axfr queries on nameservers (threaded).
5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain").
6) Brute force subdomains from file, can also perform recursion on subdomains that have NS records (all threaded).
7) Calculate C class domain network ranges and perform whois queries on them (threaded).
8) Perform reverse lookups on netranges (C class or/and whois netranges) (threaded).
9) Write ip-blocks to the domain_ips.txt file.
Syntax Example: see man or help file associated with tool
./dnsenum.pl localhost -f dns.txt
1.1.9 Finger Google

1.1.10 Firewalk
Description: Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.
Attack Methodology: Firewalk (or its methodology, because BT4 doesn't have it) should be used when first testing a router or firewall to analyze the ports it will allow and on what protocol. Some of the common protocols should be tested first. Using this methodology, it's also important to either know or establish a trusted host in which to spoof to gain more credibility within the firewall.
Syntax Example: firewalk [-dhinprSsTtvx] target_gateway metric

1.1.15 Host
Description: host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options. name is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case host will by default perform a reverse lookup for that address. server is an optional argument which is either the name or IP address of the name server that host should query instead of the server or servers listed in /etc/resolv.conf.
Syntax Example: host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-4] [-6] [-s] {name} [server]
1.1.16 Itrace
Description: itrace is a traceroute program that traces through networks to find network paths using ICMP Echo Request packets instead of ICMP
Attack Methodology: The security benefit here is the attack is under the disguise of the ICMP protocol which is generally considered safe. A lot of network administrators keep ICMP available for troubleshooting purposes and it's barely ever turned off. IP packets sent through a firewall with a spoofed address of a known trust would be able to traverse the network using just the ICMP protocol, thus rendering the firewall useless in network mapping and enumeration attempts.
Syntax Example: Can use version IPv4 or IPv6 for tracerouting. By default, the program will try to resolve the name given, and choose the appropriate protocol automatically. If resolving a hostname returns both IPv4 and IPv6 addresses, traceroute will use IPv4.

1.1.17 Netenum
Description: netenum can be used to produce lists of hosts for other programs. It's not as powerful as other ping-sweep tools, but it's simple. When given a timeout, it uses ICMP echo requests to find available hosts. If you don't supply a timeout, it just prints an IP address per line, so you can use them in shell scripts.
Attack Methodology: This script produces a list of IP addresses in a given range. It can take the network range as a single IP, an IP and netmask, or an IP with CIDR notation. It also takes hostnames. This can be used to quickly produce lists of IP addresses for a specified range, and to be used in scripts.
Syntax Example:
./netenum 10.1.2.3/25
HSRP attack:
for i in `netenum 192.168.20.11/23`
do
./hsrp -d ${i} -v 172.16.0.11 -a cisco -g 1 -I eth0
done
1.1.18 Netmask
Description: Netmask simply displays all the values of a netmask based on the input.
Attack Methodology: This is valuable for interpreting CIDR notation because it allows you to visually see the mask that gets applied to the IP address to compute the routing. I'll be using this program to buff up on my CIDR notation for sure.
Syntax Example:
./netmask -d destination
./netmask -d 192.168.2.4/16
1.1.19 Pirana

1.1.20 Protos
Description: Protos is an IP protocol scanner. It goes through all possible IP protocols and uses a negative scan to sort out unsupported protocols, which should be reported by the target using ICMP protocol unreachable messages. Normal output for a Windows host looks like this:
10.1.1.4 may be running (did not negate):
ICMP IGMP TCP UDP
While a cisco router supports more:
10.1.1.1 may be running (did not negate):
ICMP IPenc TCP IGP UDP GRE SWIPE MOBILE SUN-ND EIGRP IPIP
Attack Methodology: This allows you to see what protocols are running on a device. This can either narrow your search for a vulnerability or increase the possibility of finding one. Some protocols have vulnerabilities built in, and this also allows you to see the type of communication that might be traversing the wire. Ultimately this gives you a precursor as to what attacks you might want to perform based on what is and what's not running on the host.
Syntax Example: ./protos -i eth0 -d 10.1.2.3 -v
1.1.22 Relay Scanner
1.1.23 SMTP-Vrfy
1.1.24 TCtrace
Description: TCtrace is, like itrace, a traceroute(1) brother - but it uses TCP SYN packets to trace. This makes it possible for you to trace through firewalls if you know one TCP service that is allowed to pass from the outside.
Attack Methodology: Just as useful as itrace, but using another crafty covert method. Again, by identifying a trust that is allowed to pass through a firewall you can spoof a service or packet to get to a destination host. This is very useful when enumerating inside of a firewall or looking for firewall holes to poke through.
Syntax Example: ./tctrace -i eth0 -d www.phenoelit.de

Fierce v1.0.3
Description: Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.
Syntax Example:
perl fierce.pl -dns example.com -connect headers.txt
perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

Network Mapping

1.2.1 Amap 5.2

1.2.2 Ass
Description: ASS, the autonomous system scanner, is designed to find the AS of the router. It supports the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF. In passive mode (./ass -i eth0), it just listens to routing protocol packets (like broadcast and multicast hellos). In active mode (./ass -i eth0 -A), it tries to discover routers by asking for information. This is done to the appropriate address for each protocol (either broadcast or multicast addresses). If you specify a destination address, this will be used but may not be as effective as the defaults. EIGRP scanning is done differently: while scanning, ASS listens for HELLO packets and then scans the AS directly on the router that advertised itself. You can force EIGRP scanning into the same AS-Scan behavior as IGRP uses by giving a destination, or into multicast scanning by the option -M. For active mode, you can select the protocols you want to scan for. If you don't select them, all are scanned.
Attack Methodology: I'm surprised at how useful this sounds and how much I want to play with it. To be able to instantaneously sniff out routing packets can be used to quickly identify network endpoints and map potential hosts for DNS or ARP spoofing. Especially useful when the default gateways do not have typical addresses (192.168.1.1 or 192.168.1.254) or when they're not responding to ICMP ping requests.
Syntax Example:
./ass [-v[v[v]]] -i <interface> [-p] [-c] [-A] [-M] [-P IER12] -a <autonomous system start> -b <autonomous system stop> [-S <spoofed source IP>] [-D <destination ip>] [-T <packets per delay>]
Passive Mode: ./ass -i eth0 (listens to routing protocol packets)
Active Mode: ./ass -i eth0 -A (tries to discover routers by asking for info)
1.2.3 Autoscan 0.99_R1
1.2.4 Fping
Description: fping is a program like ping which uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding. fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the list of targets to ping. Instead of sending to one target until it times out or replies, fping will send out a ping packet and move on to the next target in a round-robin fashion. In the default mode, if a target replies, it is noted and removed from the list of targets to check; if a target does not respond within a certain time limit and/or retry limit it is designated as unreachable. fping also supports sending a specified number of pings to a target, or looping indefinitely (as in ping). Unlike ping, fping is meant to be used in scripts, so its output is designed to be easy to parse.
Attack Methodology: It's always a good idea to have a program that allows for multiple inputs and easy output for parsing. Fping works just like regular ping only it can be used in scripts and loops. Good shit.
Syntax Example: fping 192.168.2.4 192.168.2.5 192.168.4.66

1.2.5 Hping
Description: hping2 is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies. hping2 handles fragmentation, arbitrary packet body and size, and can be used in order to transfer files encapsulated under supported protocols.
Attack Methodology:
Test firewall rules
Advanced port scanning
Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
Path MTU discovery
Transferring files between even really fascist firewall rules.
Traceroute-like under different protocols.
Firewalk-like usage.
Remote OS fingerprinting.
TCP/IP stack auditing.
It's a good idea to learn TCP/IP inside and out to be able to take complete advantage of this tool.
Syntax Example: See documentation for more information.
1.2.6 IKE-Scan
Description: Discovers and fingerprints IKE hosts (IPsec, VPN servers) by sending IKE Phase-1 requests to the specified hosts and displaying any responses received.
Attack Methodology: Useful in identifying network entry points and identifying the specific IKE implementation.
Syntax Example: See documentation for more syntax information
1.2.7 IKEProbe
1.2.8 Netdiscover
Description: An active / passive ARP reconnaissance tool, mainly developed to gain information about wireless networks without DHCP servers in wardriving scenarios. It can also be used on switched networks. Built on top of libnet and libpcap, it can passively detect online hosts or search for them by sending ARP requests.
Attack Methodology: Best used to inspect a network's ARP traffic, or find addresses using auto-scan mode, which will scan for common local networks.
Syntax Example: netdiscover -r (range) 1.1.1.1/24 [monitors arp packets on the given range]
See man page for more granular specification and syntax
1.2.9 Nmap
Description: The command line network mapping utility no security professional should be without. Nmap does everything from network scanning to OS identification. Low-level packet manipulation allows for crafty hacks and command line quips for automation. A virtual swiss army knife, nmap has a thousand and one uses.
Attack Methodology: See documentation for more syntax information. Fyodor's Nmap network scanning is a great resource.
1.2.10 NmapFE

1.2.11 P0f
Description: Versatile passive OS fingerprinting tool based on analyzing the structure of a TCP/IP packet to determine the operating system and other configuration properties of a remote host. The process is completely passive and does not generate any suspicious network traffic.
Attack Methodology: Generates absolutely no suspicious network traffic. The target machines must either connect to the network, either spontaneously or in an induced manner (trying to establish an ftp data stream, returning a bounced mail, performing authentication lookup, using IRC DCC, external html mail image reference, etc.), or be contacted by some entity on your network using some standard means (such as web browsing).
Syntax Example: see documentation

1.2.12 PSK-Crack
Description: psk-crack attempts to crack IKE Aggressive Mode pre-shared keys that have been previously gathered using ike-scan with the --pskcrack option.
Attack Methodology:
1) Dictionary cracking mode: this is the default mode in which psk-crack tries each candidate word from the dictionary file in turn until it finds a match, or all the words in the dictionary have been tried.
2) Brute-force cracking mode: in this mode, psk-crack tries all possible combinations of a specified character set up to a given length.
1.2.13 Ping Really?.... No seriously… Really? I'm not even kidding… really? C'mon

1.2.14 Protos
Description: Protos is an IP protocol scanner. It goes through all possible IP protocols and uses a negative scan to sort out unsupported protocols, which should be reported by the target using ICMP protocol unreachable messages. Normal output for a Windows host looks like this:
10.1.1.4 may be running (did not negate):
ICMP IGMP TCP UDP
While a cisco router supports more:
10.1.1.1 may be running (did not negate):
ICMP IPenc TCP IGP UDP GRE SWIPE MOBILE SUN-ND EIGRP IPIP
Attack Methodology: This allows you to see what protocols are running on a device. This can either narrow your search for a vulnerability or increase the possibility of finding one. Some protocols have vulnerabilities built in, and this also allows you to see the type of communication that might be traversing the wire. Ultimately this gives you a precursor as to what attacks you might want to perform based on what is and what's not running on the host.
Syntax Example: ./protos -i eth0 -d 10.1.2.3 -v
1.2.18 UnicornScan
Description: Asynchronous network stimulus delivery / response recording tool
Syntax Example: unicornscan -msf -s 1.1.1.3 -r 340 -Iv -epgsqldb www.domain.tld/21:80
Runs in connect mode with an apparent source address of 1.1.1.33 at a rate of 340 packets per second. Results will be displayed as they are found (-I) and the output will be verbose (-v).
1.2.19 UnicornScan pgsql 0.4.6e module version 1.03
Description: Automated unicornscan startup script
Attack Methodology: self-explanatory
Syntax Example: TBD
1.2.20 XProbe2
Description: Active operating system fingerprinting tool with a different approach to operating system fingerprinting. Relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.
Attack Methodology: One of the many OS fingerprinting tools out there
Syntax Example: xprobe2 -v -D 1 -D 2 1.1.1.3
Launches an OS fingerprinting attempt targeting 1.1.1.3. Modules 1 and 2, which are reachability tests, will be disabled, so probes will be sent even if the target is down. Output will be verbose.
1.2.21 PBNJ 2.04
Description: PBNJ is a suite of tools to monitor changes on a network over time. It does this by checking for changes on the target machine(s), which includes the details about the services running on them as well as the service state. PBNJ parses the data from a scan and stores it in a database. PBNJ uses Nmap to perform scans.
Attack Methodology: Because it uses nmap for scanning, it's easily extendable, and it allows for continuity when using previous scans that might have been performed. I wonder if the PBNJ database is a flat file, which it most likely is. Looks interesting… experimentation will ensue.
1.2.21.1 OutputPBNJ
Description: Program for querying an existing PBNJ database
Attack Methodology: Because it uses nmap for scanning, it's easily extendable, and it allows for continuity when using previous scans that might have been performed. I wonder if the PBNJ database is a flat file, which it most likely is. Looks interesting… experimentation w
1.2.21.2 ScanPBNJ
Description: Program for running nmap scans and storing the results in a PBNJ 2.0 database
Attack Methodology: Because it uses nmap for scanning, it's easily extendable, and it allows for continuity when using previous scans that might have been performed. I wonder if the PBNJ database is a flat file, which it most likely is. Looks interesting… experimentation will ensue.
1.2.21.3 Genlist
Description: Genlist returns a list of hosts by sending out ping probes. Part of the PBNJ 2.0 suite of tools to monitor changes on a network.
Attack Methodology: This list can be used to perform a scan of machines using PBNJ or nmap.
Syntax Example: genlist [input type] [general options]

Vulnerability Identification
1.3.1 Absinthe
Description: GUI based tool designed to automate the process of blind SQL injection. It works by profiling response pages as true or false from known cases, then moves on to identify unknowns as true or false.
Attack Methodology: Logical blind SQL injection attacks
Syntax Example: GUI application --- see documentation or: http://www.0x90.org/releases/absinthe/docs/basicusage.php
1.3.2 Bed
Description: Bruteforce Exploit Detector (BED) is a suite of scripts that automatically tests implementations of different protocols for buffer overflows and format string vulnerabilities, by bombarding the server with random strings of varying length.
Attack Methodology: Basically a remote exploit fuzzer with no real logic behind its "user" supplied data.
1.3.3 CIRT Fuzzer
Description: TCP/UDP Fuzzer
1.3.4 Cisco Auditing Tool
Description: Auditor for cisco network devices (IOS devices)
Attack Methodology: Useful for password guessing, bruteforcing, dictionary attacks, scanning multiple hosts, IOS devices. Even has a quiet mode attribute.
1.3.5 Cisco Enable Bruteforcer
Description: Bruteforce tool that attempts unbridled access to an IOS device
Attack Methodology: Bruteforce attack tool for Cisco devices
Syntax Example: enabler <ip> [-u user] <pass> <passlist> [port]
1.3.6 Cisco Global Exploiter
Description: Script that targets vulnerabilities in IOS devices and Catalyst products. Cisco has probably patched all of the vulnerabilities this script can exploit, but it's good for practice.
Attack Methodology: Exploits the IOS authentication protocol for IOS devices.
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
Syntax Example: see man file or instructions
1.3.7 Cisco Scanner
Description: Scans a network range for Cisco IOS devices
Attack Methodology: Scans for cisco devices on a network range.
Syntax Example: ciscos <ip> <class> [option]
1.3.8 Cisco Torch
Description: A mass scanning application layer fingerprinting and exploitation tool to discover and attack remote Cisco hosts running telnet, ssh, web, tftp, ntp, and snmp services.
Attack Methodology: A mass scanning application layer fingerprinting and exploitation tool to discover and attack remote Cisco hosts running telnet, ssh, web, tftp, ntp, and snmp services.
Syntax Example: See documentation
1.3.9 Curl
Description: http source dump utility that allows specified tag filtering on the command line output.
Attack Methodology: advanced use of this program allows scriptable html parsing and is useful for scraping pages of specific content
1.3.10 Fuzzer 1.2
Description: What this tool does: "Fuzzing" is an automated software testing technique that generates and submits random or sequential data to various areas of an application in an attempt to uncover security vulnerabilities. For example, when searching for buffer overflows, a tester can simply generate data of various sizes and send it to one of the application entry points to observe how the application handles it.
Syntax Example: See documentation
1.3.11 GFI LanGuard 2.0
Description: GFI LANguard Network Security Scanner (N.S.S.) checks your network for all potential methods that a hacker might use to attack it. By analyzing the operating system and the applications running on your network, GFI LANguard N.S.S. identifies possible security holes.
Attack Methodology: Alerts you to weaknesses before a hacker can find them
1.3.12 GetSids
Description: Getsids tries to enumerate Oracle SIDs by sending the services command to the Oracle TNS listener.
1.3.13 HTTP PUT
Syntax Example:
Usage: /pentest/web/put.pl -h <host> -l <file>
/pentest/web/put.pl -h target -r /cmdasp.asp -f cmdasp.asp
1.3.14 Halberd
Description: Halberd discovers HTTP load balancers. It is useful for web application security auditing and for load balancer configuration testing.
Attack Methodology: Useful for web application security auditing and for load balancer configuration testing
1.3.15 Httprint
Description: httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers.
Attack Methodology: Can be used to detect web enabled devices which do not have a server banner string, such as: wireless APs, routers, switches, cable modems. Uses http based signature strings to identify targeted web servers.
Syntax Example: see man page or http://net-square.com/httprint
1.3.16 Httprint GUI
Description: httprint is a graphical web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers.
Syntax Example: see man page or http://net-square.com/httprint
1.3.17 ISR-Form
Description: Retrieves the form data from a web page
Attack Methodology: Form data is useful for identifying XSS vulnerabilities and performing MITM attacks
1.3.18 Jbrofuzz
Description: JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing.
Attack Methodology: Allows for the identification of certain classes of security vulnerabilities, by means of creating malformed data and having the network protocol in question consume the data.
1.3.19 List-Urls
Description: Parses out URLs from a webpage and lists them on STDOUT.
Attack Methodology: Useful for scraping webpages and web source for embedded links
1.3.20 Lynx
Description: Text based web browser
Attack Methodology: Useful for non-taxing web functionality

1.3.23 Merge Router Config


1.3.24 Metacoretex
Description: scanner is an extremely modular plugin based security scanner written entirely in JAVA to allow the use of JDBC Type IV drivers when scanning databases
1.3.25 Metoscan
Description: Metoscan is a tiny tool for scanning the HTTP methods supported by a web server. It works by testing a URL and checking the responses for the different probes.
1.3.26 Mezcal HTTP/S
Description: Mezcal is an HTTP/HTTPS bruteforcing tool allowing the crafting of requests and insertion of dynamic variables on-the-fly.
1.3.27 Mibble MIB Browser
Description: Mibble is an open-source SNMP MIB parser (or SMI parser) written in Java. It can be used to read SNMP MIB files as well as simple ASN.1 files.
1.3.28 Mistress
Description: Mistress is an 'Application Sadism Environment' and can also be called a fuzzer. It is written in Python and was created for probing file formats on the fly and protocols with malformed data, based on pre-defined patterns. It is recommended that the project site be visited for further documentation and use cases.
1.3.29 Nikto
Description: Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items.
1.3.30 OAT
Description: OAT (Oracle Auditing Tools) is a set of tools which can be used to audit Oracle databases running on the Microsoft Windows platform.
1.3.31 Onesixtyone
Description: SNMP Scanner
1.3.32 OpenSSL-Scanner
Description: OpenSSL vulnerability scanner; scans for a remote exploit for the KEY_ARG overflow in OpenSSL 0.9.6d and older.
Attack Methodology: Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner and a detailed vulnerability analysis. Only Linux/x86 targets are supported.
1.3.33 Paros Proxy
Description: Java developed web proxy
1.3.34 Peach
Description: Python based cross-platform application fuzzer
Attack Methodology: very versatile fuzzer
Syntax Example: see documentation or http://peachfuzz.sourceforge.net/docs/tutorial/peach-tutorial.htm
1.3.35 RPCDump
Description: RPCDUMP is a program which provides console access to the RPC APIs in Windows.
1.3.36 RevHosts
Description: Python based tool to accelerate passive information gathering
Attack Methodology:
• vhh : uses search engines to return hosts that are on an IP (Virtual Host hacking)
• Findsubdomains : module that returns subdomains of a domain.
• Dnsbruteforce : dnsbruteforce is now a module of revhosts. It uses multithreading (1 thread for each dns server) and performs dns resolution of hostnames of a domain.
• Getdirectories : looks on search engines for directories that are on a host (no connection to the host).
• subnet : looks for IPs that have the same tech contact.
• getmail : module that searches the internet for mail addresses
Syntax Example: see documentation or: http://www.revhosts.net
1.3.37 SMB Bruteforcer
Description: An SMB bruteforcer which tries approx. 1200 logins/sec on Windows 2000 because of the timeout bug.
Attack Methodology: Useful for legacy machine penetration attempts
1.3.38 SMB Client
Description: A LanManager-like simple client for Unix. The Samba software suite is a collection of programs that implements the SMB protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients.
Attack Methodology: Absolutely necessary when testing or infiltrating a primarily windows based network
1.3.39 SMB Serverscan
Description: Scans for machines running Samba servers.
Attack Methodology: Absolutely necessary when testing or infiltrating a primarily windows based network
1.3.40 SMB-NAT
Description: Netbios Auditing Tool. This tool can perform various security checks on remote servers running NetBIOS file sharing services. It is capable of enumerating shares and making break-in attempts using a (user-provided) list of users and passwords.
Attack Methodology: Absolutely necessary when testing or infiltrating a primarily windows based network
1.3.41 SMBdumpusers
Description: Netbios Auditing Tool to dump users of remote windows hosts
Attack Methodology: Absolutely necessary when testing or infiltrating a primarily windows based network
1.3.42 SMBgetserverinfo
Description: Netbios Auditing Tool to retrieve serverside information about a windows host
Attack Methodology: Absolutely necessary when testing or infiltrating a primarily windows based network

1.3.44 SNMP Walk


1.3.45 SQL Inject
1.3.46 SQL Scanner
1.3.47 SQLLibf

1.3.48 SQLbrute
Description: SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploits on Oracle.
Attack Methodology: Very loud and will easily get identified by most IDS systems

1.3.50 Smb4K
Description: Smb4K is a SMB/CIFS share browser for KDE. It uses the Samba software suite to access the SMB/CIFS shares of the local network neighborhood.
1.3.52 Snmp Enum
Description: Perl written script to enumerate information on machines running SNMP
1.3.53 Spike
Description: Linux based network protocol analysis tool.
Syntax Example: see http://www.immunitysec.com/resources-freesoftware.shtml

1.3.54 Stompy
Description: A free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms.
Attack Methodology: Session IDs are commonly used to track authenticated users, and as such, whenever they're predictable or simply vulnerable to brute-force attacks, we do have a problem. The tool has already revealed several problems in proprietary software platforms such as BEA WebLogic and Sun Java System Web Server (both have problems with their JSESSIONIDs).

1.3.55 SuperScan
Description: Powerful TCP port scanner, pinger, resolver. SuperScan is a powerful connect-based TCP port scanner, pinger and hostname resolver.
Attack Methodology: Multithreaded and asynchronous techniques make this program extremely fast and versatile.

1.3.56 TNScmd
Description: Used to communicate with Oracle's TNS listener protocol.
Attack Methodology: The TNS listener (aka tnslsnr) is the network interface between a database client and the database server. tnslsnr listens on port 1521/tcp, but the DBA can change this (I've seen listeners on port 1541/tcp as well.) fwiw, nmap-services lists these as ncube-lm and rds2, respectively.

1.3.57 Taof
Description: Taof is a GUI cross-platform Python generic network protocol fuzzer. It has been designed for minimizing set-up time during fuzzing sessions and it is especially useful for fast testing of proprietary or undocumented protocols.
Syntax Example: See man pages

1.3.59 Wapiti
Description: Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but will scan the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

1.3.60 Yersinia
Description: Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
Syntax Example: see man pages or http://.yersinia.net
1.3.61 sqlanlz
Description: Enumerates information about databases, users, extended stored procedures etc., outputting into an HTML report.
1.3.62 sqldict
Description: Carries out a dictionary based attack on the user(s) specified.
1.3.63 sqldumplogins
Description: Dumps all user accounts from the MS SQL Server.
1.3.64 sqlquery
Description: Interactive query tool.
1.3.65 sqlupload
Description: Attempts to upload files to a MS SQL Server.

Penetration
1.4.1 Framework3-MsfC: Metasploit framework is an open-source platform for developing, testing and using exploit code. Don’t leave home without it.
1.4.2 Framework3-MsfUpdate: Metasploit utility to update Metasploit using SVN.
1.4.3 Framework3-Msfcli: Metasploit command line interface. Quickest interface to use.
1.4.4 Framework3-Msfweb: Metasploit interactive webserver and interface.
1.4.5 Init Pgsql (autopwn): Metasploit autopwn engine. Cycles through every potential Metasploit exploit in an attempt to successfully compromise the host.
1.4.6 Milw0rm Archive: An archive of exploitable code from Milw0rm.com, useful for obtaining PoC code. http://www.milw0rm.com
1.4.7 MsfCli: Metasploit command line interface.
1.4.8 MsfConsole: The msfconsole interactive command-line interface provides a command set that allows the user to manipulate the framework environment, set exploit options, and ultimately deploy the exploit. Unrecognized commands are passed to the underlying operating system; in this way, a user can run reconnaissance tools without having to leave the console.
1.4.9 MsfUpdate: Uses SVN to update Metasploit code and exploits.
1.4.11 OpenSSL-To-Open: openssl-too-open is a remote exploit for the KEY_ARG overflow in OpenSSL 0.9.6d and older. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner and a detailed vulnerability analysis. Only Linux/x86 targets are supported.

Privilege Escalation
1.5.7 Driftnet: Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Useful for sniffing out image files of other users on the network; can also be used to hijack social networking pages/profiles.
1.5.8 Dsniff: dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g. due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. See documentation.
1.5.9 Etherape: EtherApe is a graphical network monitor for Unix modeled after etherman. Useful for visually identifying hosts on a network and their communication links. It can filter traffic to be shown in real time. See documentation.
1.5.10 EtterCap: A powerful and flexible tool for man-in-the-middle attacks.
1.5.12 HSRP Spoofer
1.5.13 Hash Collision
1.5.14 Httpcapture
1.5.15 Hydra: Password cracker. Uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services.
1.5.16 Hydra GTK: Front end GUI to the command line Hydra application. Uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services.
1.5.17 ICMP Redirect
1.5.18 ICMPush
1.5.19 IGRP Spoofer
1.5.20 IRDP Responder: Sniffer which listens to IRDP requests (solicitations) and answers. Sends out periodic updates. See documentation.
1.5.21 IRDP Spoofer
1.5.22 John: Password cracker. Quick offline password cracker. See documentation.
1.5.23 Lodowep: Lodowep is a tool for analyzing password strength of accounts on a Lotus Domino webserver system. The tool supports both session- and basic-authentication. It runs 20 simultaneous connections guessing passwords specified in a dictionary file against the supplied user file.
1.5.24 Mailsnarf: Passively monitors a network for interesting data being sent across a network/interface range. Passively monitoring email traffic on a network is useful for sniffing out POP and SMTP protocols, and very useful in semi-blind recon of a network.
1.5.25 Medusa: Medusa is a speedy, massively parallel, modular, login brute-forcer for network services, created by the geeks at Foofus.net. It currently has modules for the following services: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.
1.5.26 Msgsnarf: Passively monitors a network for interesting data being sent across the network. Msgsnarf captures messages on a network/interface.
1.5.27 Nemesis Spoofer: Nemesis is a packet-crafting program that can forge raw packets from the Ethernet layer up and put them on the wire. It's handy for when you just want to sit down and specify exactly what packets you want to craft. It supports crafting ARP, DNS, Ethernet, ICMP, IGMP, IP, RIP, TCP, and UDP packets. Similar in concept to the "hping" program.
1.5.28 NetSed
1.5.29 Netenum
1.5.30 Netmask
1.5.31 Ntop: A network traffic probe that shows the network usage. ntop is based on libpcap and has been written in a portable way in order to run on virtually every Unix platform and on Win32 as well. ntop users can use a web browser (e.g. Netscape) to navigate through ntop (which acts as a web server) traffic information and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface.
1.5.32 PHoss: PHoss is a sniffer designed to find HTTP, FTP, LDAP, Telnet, IMAP4 and POP3 logins/passwords on your network. It also sniffs the VNC challenge/response handshake.
1.5.33 PackETH: packETH is a Linux GUI packet generator tool for Ethernet. It allows you to create and send any possible packet or sequence of packets on the Ethernet.
1.5.34 Rcrack: RainbowCrack tool is a hash cracker. Rainbow tables crack hashed passwords in a fraction of the time. Syntax: rcrack *.rt -h hash.txt
1.5.35 SIPdump: SIPcrack is a SIP login sniffer/cracker that contains 2 programs: sipdump to capture the digest authentication and sipcrack to bruteforce the hash using a wordlist or standard input. When snatching voice traffic off the network these two tools have no substitute. Syntax: sipdump [options] <dumpfile>
1.5.36 SMB Sniffer
1.5.37 Sing: A fully programmable ping replacement. It sends ICMP packets fully customized from the command line. The main purpose is to replace/complement the nice ping command. See documentation for ping enhancements.
1.5.38 TFTP-Brute
1.5.39 THC PPTP
1.5.40 TcPick: A TCP stream sniffer and connection tracker. Tcpick is able to save the captured flows in different files or display them in the terminal, and so it is useful to sniff files that are transmitted via FTP or HTTP. It can display the whole stream on the terminal when the connection is closed, in different display modes like hexdump, hexdump + ASCII, only printable characters, raw mode and so on. Syntax: tcpick -i eth0 "port 80" -wRub (log HTTP data in unique files, client and server mixed together); tcpick -i eth0 -C -bCU -T1 "port 25" (display client data only of the first SMTP connection).
1.5.41 URLsnarf
1.5.42 VNCrack: An extremely loud brute force tool to be used on servers or password files (passwd). Brute force the hell out of a server. Additionally, you may pass a Registry key with the encrypted password or the UNIX password file to VNCrack and it does this simple fixed-key decryption for you. Syntax: vncrack -h target.host.com -w wordlist.txt [options] (to crack an online host); vncrack -C /home/some/user/.vnc/passwd (to crack a password file offline).
1.5.43 WebCrack
1.5.44 Wireshark: GUI based network traffic analyzer. Best free graphical traffic analyzer there is. Don’t leave home without it. See documentation or www.wireshark.org
1.5.45 Wireshark Wifi: Wireshark with Wifi Injection Patch allows the user to select a packet opened with Wireshark, edit it and reinject it through the LORCON injection library.
1.5.46 WyD: wyd is a password profiling tool that extracts words/strings from supplied files and directories. It supports different filetypes: plain, html, php (partially), doc, ppt, mp3, pdf, jpeg, odp/ods/odp, and extracting raw strings.
1.5.47 XSpy: Xspy takes advantage of an oversight in X Windows (R5 & R6) to find out about keypresses even in "secure mode". It works by polling the keyboard, by default every hundredth of a second. Polling the keyboard is not affected by any secure modes, which "grab" the keyboard to shut off events being sent out.
1.5.48 chntpw: chntpw, if my memory serves, is a Windows NT/2K/XP user password tool for deleting passwords and restrictions from the SAM database on an installed system. It does not crack passwords (e.g. by brute force); it only deletes passwords and restrictions for Administrators and ordinary users in the SAM database.

Maintaining Access
1.6.1 3proxy: Combined proxy server. Uses a config file to read its configuration. Installs and starts as a proxy service in NT/2k/XP. Syntax: net start 3proxy / net stop 3proxy
  proxy: HTTP proxy server, binds to port 3128. Binds to proxy just like squid =)
  ftppr: FTP proxy server, binds to port 21. Self explanatory.
  socks: SOCKS 4/5 proxy, binds localhost to port 1080. Self explanatory.
  pop3p: POP3 proxy server, binds to port 110. Must specify POP3 username as user@target[:port]. In the username configuration for your email reader, set someuser@host.yes to obtain mail for someuser from @pop.somehost.ru via proxy.
  tcppm: TCP port mapping. Maps some TCP port on the local machine to a TCP port on a remote host. Useful for exploiting a trust relationship after an interface, or identification spoof from the attacker.
  udppm: UDP port mapping. Maps some UDP port on the local machine to a UDP port on a remote host. Useful for exploiting a trust relationship after an interface, or identification spoof from the attacker.
  mycrypt: Program to obtain a crypted password from cleartext. Supports both MD5/crypt and NT password.
  dighosts: Utility for building a networks list from a web page. Excellent utility for formatting output from dig.

1.6.2 Backdoors
1.6.3 CryptCat: Netcat with encryption functionality built in. Cryptcat is the standard netcat enhanced with twofish encryption with ports for Windows NT, BSD and Linux. Twofish is courtesy of Counterpane and Cryptix.
1.6.4 HttpTunnel Client
1.6.5 HttpTunnel Server
1.6.6 ICMPTX
1.6.7 Iodine: This is a piece of software that lets you tunnel IPv4 data through a DNS server. Useful in situations where internet access is firewalled and therefore limited, but DNS queries are allowed (as usual). Syntax: iodine [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [nameserver] topdomain
1.6.8 NSTX: Tunnelling tool that performs IP traffic over DNS. Useful in situations where internet access is firewalled and therefore limited, but DNS queries are allowed (as usual).
1.6.9 Privoxy: Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes. Privoxy has application for both stand-alone systems and multi-user networks.
1.6.10 ProxyTunnel: A program that connects stdin and stdout to a server somewhere on the network, through a standard HTTPS proxy. Uses can include tunnelling SSH sessions through HTTP(S) proxies, allowing activity that would otherwise be restricted.
1.6.11 Rinetd
1.6.12 TinyProxy: tinyproxy is a lightweight HTTP proxy. Designed from the ground up to be fast and yet small, it is an ideal solution for sites where a full-featured HTTP proxy is required, but the system resources required to run a more demanding HTTP proxy are unavailable. See documentation or man file.
1.6.13 sbd: sbd is a Netcat clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. Only TCP/IP communication is supported.
1.6.14 socat: socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.

Covering Tracks
1.7.1 Housekeeping

Radio Network Access
1.8.1.1 AFrag: First implementation of the Fragmentation Attack on Linux.
1.8.1.2 ASLeap: A proof-of-concept to demonstrate weaknesses in the LEAP and PPTP protocols.
1.8.1.3 Air Crack: Aircrack is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, thus making the attack much faster compared to other WEP cracking tools. In fact, aircrack is a set of tools for auditing wireless networks.
1.8.1.4 Air Decap: Decrypts WEP/WPA capture files. Part of the aircrack suite.
1.8.1.5 Air Replay: 802.11 packet injection program. Part of the aircrack suite.
1.8.1.6 Airmon Script: Checks wifi interface status and places the interface into monitor mode. Part of the aircrack suite.
1.8.1.7 Airpwn: Airpwn requires two 802.11 interfaces in the case where the driver can't inject in monitor mode (lots of chipsets do). It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image.
1.8.1.8 AirSnarf: Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Demonstrates an inherent vulnerability of public 802.11b hotspots: snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.
1.8.1.9 Airbase: Airbase is a SoftAP acting much like Karma; it will respond to any probe request, allowing many client-side attacks to be performed. Works by using monitor mode and injection, allowing a simulated master mode.
1.8.1.10 Airodump: 802.11 packet capture program. Part of the aircrack suite.
1.8.1.11 Airoscript: aircrack-ng based wireless cracking script.
1.8.1.12 Airsnort: AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.
1.8.1.13 CowPatty: Designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol.
1.8.1.14 FakeAP: Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables. Syntax: perl fakeap.pl --interface wlan0 --words lists/stefan-wordlist.txt --vendors lists/stefan-maclist.txt
1.8.1.15 GenKeys
1.8.1.16 Genpmk
1.8.1.17 Hotspotter: Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and compares them to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.
1.8.1.18 Karma: KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.
1.8.1.19 Kismet: Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.
1.8.1.20 Load IPW3945
1.8.1.21 Load acx100
1.8.1.22 MDK2
1.8.1.23 MDK2 for Broadcom
1.8.1.24 MacChanger: A GNU/Linux utility for viewing/manipulating the MAC address of network interfaces.
1.8.1.25 Unload Drivers
1.8.1.26 Wep_crack
1.8.1.27 Wep_decrypt
1.8.1.28 WifiTap: Wifitap is a proof of concept for communication over WLAN networks using traffic injection. Wifitap allows direct communication with a station associated to a given access point, whilst not being associated ourselves or being handled by the access point.
1.8.1.29 Wicrawl: wicrawl is an automated wifi scanner and auditor. It implements common tools to perform checks (association, DHCP, WEP cracking, bruteforcing WPA-PSK, etc.) against the discovered access point list based on profile settings. It can use multiple cards to run checks against multiple APs at the same time.
1.8.1.30 Wlassistant: Wireless Assistant scans for wireless access points and displays link quality, encryption and other useful information. When the user wants to connect to a network, Wireless Assistant opens up its wizards and guides the user through Wi-Fi settings. After a successful connection is made the settings are remembered so next time the user won't have to enter them again.

VOIP & Telephony Analysis
1.9.1 PcapSipDump: Pcapsipdump is a tool for dumping (recording) SIP sessions (and RTP traffic, if available) to disk in a fashion similar to "tcpdump -w" (the format is exactly the same). The data is saved with one file per SIP session. Even if there are thousands of concurrent SIP sessions, each goes to a separate file.
1.9.2 SIPSak: Sipsak is a small command line tool for developers and administrators of Session Initiation Protocol (SIP) applications. It can be used for some simple tests on SIP applications and devices.
1.9.3 SIPcrack: SIPcrack is a SIP login sniffer/cracker that contains 2 programs: sipdump to capture the digest authentication and sipcrack to bruteforce the hash using a wordlist or standard input.
1.9.4 SIPdump: SIPcrack is a SIP login sniffer/cracker that contains 2 programs: sipdump to capture the digest authentication and sipcrack to bruteforce the hash using a wordlist or standard input.
1.9.5 SIPp: Sipp is a performance testing tool for the SIP protocol. It includes a few basic SipStone user agent scenarios (UAC & UAS) and establishes and releases multiple calls with the INVITE and BYE methods. It also reads XML scenario files describing any performance testing configuration. It features the dynamic display of statistics about running tests, periodic CSV statistics dumps, TCP, UDP, or TLS over IPv4 or IPv6 over multiple sockets or multiplexed with retransmission management, regular expressions and variables in scenario files, conditional branching, and dynamically-adjustable call rates. RTP play (voice, video, and RFC2833 DTMFs) is also supported.
1.9.6 Smap: smap is a mashup of nmap and sipsak. To sum up functionality in one sentence, it aids in both locating and fingerprinting remote SIP devices.

Digital Forensics
1.10.1 Allin1: This tool should help you to do several time-consuming tasks in Sleuthkit/Autopsy in one row:
• Extract unallocated space
• Extract strings (ASCII and Unicode) from allocated and unallocated
• Sort by file types
• Sort by images and create thumbnails
• Make foremost run on images
• Scheduling
1.10.2 Autopsy: The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer.
1.10.3 DCFLDD: dcfldd is an enhanced version of GNU dd with features useful for forensics and security.
1.10.4 DD_Rescue: dd_rescue copies data from one file or block device to another. It is intended for error recovery, so, by default, it doesn't abort on errors, and doesn't truncate the output file. It uses large block sizes to quicken the copying, but falls back to small blocks upon encountering errors. It produces reports that allow you to keep track of bad blocks.
1.10.5 Foremost: Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
1.10.6 Magicrescue: Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it. It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience (this program was not written for fun) shows, however, that chunks of 30-50MB are not uncommon.
1.10.7 Mboxgrep: mboxgrep is a small utility that scans a mailbox for messages matching a regular expression. Found messages can be either displayed on standard output, counted, deleted, piped to a shell command or written to another mailbox.
1.10.8 Memfetch: Memfetch is yet another small but useful security tool that allows instant and non-intrusive dumping of ALL process memory, including the information absent from core files. This is a neat way to see what, exactly, is running at a particular PID.
1.10.9 Memfetch Find: Custom perl script that can be used to find strings (regular expression matches) in memfetch dump files in a more useful way than grep could, that is, finding exact memory locations.
1.10.10 Pasco: Index.dat (Internet Explorer history file) reader. Output is comma delimited for analysis in your favorite spreadsheet.
1.10.11 Rootkithunter: Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules.
1.10.12 Sleuthkit: The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.
1.10.13 Vinetto: Vinetto is a forensics tool to examine Thumbs.db files.

Reverse Engineering
1.11.1 GDB Console: Console debugger to step through instructions and locate breakpoints in GUI executables. Standard nix console debugger. Don’t leave home without it.
1.11.2 GDB GNU Debugger: GUI Debugger, works the same as GDB. Don’t leave home without it.
1.11.3 GDB Server: gdbserver is a control program for Unix-like systems, which allows you to connect your program with a remote GDB via "target remote", but without linking in the usual debugging stub.
1.11.4 GNU DDD: GNU DDD is a graphical front-end for command-line debuggers. Besides "usual" front-end features such as viewing source texts, DDD has become famous through its interactive graphical data display, where data structures are displayed as graphs.
1.11.5 Hexdump: Hexdump is a simple program for dumping binary files in hexadecimal format. It provides both hexadecimal and ASCII columns.
1.11.6 Hexedit: View and edit files in hexadecimal or in ASCII. The file can be a device as the file is read a piece at a time. You can modify the file and search through it.
1.11.7 OllyDBG: 32-bit Disassembler for Win32 platforms. Don’t leave home without it.
